OpenSUSE Linux update for bind

1) Input validation error

EUVDB-ID: #VU4347

Risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2016-9131

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to cause denial of service conditions.

The vulnerability exists due to assertion failure when processing DNS responses. A remote attacker can send a malformed response to an RTYPE ANY query, trigger assertion failure and cause denial of service.

Successful exploitation of the vulnerability will result in DoS attack against vulnerable application.

Mitigation

Update the affected packages.

Vulnerable software versions

ISC BIND: 9.4.0 - 9.11.0-P1

External links

http://lists.opensuse.org/opensuse-security-announce/2017-01/msg00031.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Input validation error

EUVDB-ID: #VU4349

Risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2016-9147

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to cause denial of service conditions.

The vulnerability exists due to assertion failure when processing input data. A remote attacker can send a response containing an inconsistency among the DNSSEC-related RRsets, trigger assertion failure and cause denial of service.

Successful exploitation of the vulnerability will result in DoS attack against vulnerable application.

Mitigation

Update the affected packages.

Vulnerable software versions

ISC BIND: 9.9.9-P4 - 9.11.0-P1

External links

http://lists.opensuse.org/opensuse-security-announce/2017-01/msg00031.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Input validation error

EUVDB-ID: #VU4350

Risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2016-9444

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to cause denial of service conditions.

The vulnerability exists due to assertion failure when processing input data. A remote attacker can send a specially crafted DS resource record in an answer, trigger assertion failure and cause denial of service.

Successful exploitation of the vulnerability will result in DoS attack against vulnerable application.

Mitigation

Update the affected packages.

Vulnerable software versions

ISC BIND: 9.6-esv-r9 - 9.11.0-P1

External links

http://lists.opensuse.org/opensuse-security-announce/2017-01/msg00031.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.